
Bijan Vakili
HTTP Strict Transport Security
2012/12/27 20:32

Rank: Expert
Posts: 339
Join date: 2009/03/10


Currently Liferay forces https using the HTTP 302 redirect mechanism. Per the Open Web Application Security Project (OWASP) 2012 Security Blitz, HTTP Strict Transport Security (RFC 6797) is preferred over an HTTP 302 redirect since it is less susceptible to a man-in-the-middle attack.

Implementation seems trivial: add the Strict-Transport-Security HTTP field.

Caveat is that itself is not using this; instead it uses HTTP 301 to redirect from the HTTP to the HTTPS site.
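To make the difference between a redirect and HSTS concrete, here is an added example (not Liferay's code and not from the post above) that models the client side of RFC 6797: parsing the Strict-Transport-Security header, remembering the host only when the header arrived over TLS, and rewriting later http:// URLs to https:// before any request leaves the client. With a 301/302 redirect alone, that first plaintext request is still sent and can be intercepted; with a cached HSTS entry it never happens. The host names, the header values and the `HstsCache` / `parse_hsts` names are all constructed for this example; the server side in Liferay would simply be adding the header to HTTPS responses.

```python
"""Client-side model of RFC 6797 (HTTP Strict Transport Security).

Added example, not Liferay code. Host names and header values are constructed.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Simplified directive grammar (RFC 6797 section 6.1): "name" or "name=value",
# directives separated by ';'. Only max-age and includeSubDomains are defined.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?(\d+)"?\s*)?$')


def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains), or None if the header is invalid."""
    max_age = None
    include_sub = False
    seen = set()
    for part in header.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in seen:                      # duplicate directive -> invalid header
            return None
        seen.add(name)
        if name == 'max-age':
            if value is None:
                return None
            max_age = int(value)
        elif name == 'includesubdomains':
            if value is not None:
                return None
            include_sub = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:                        # max-age is mandatory
        return None
    return max_age, include_sub


class HstsCache:
    """The client's list of 'Known HSTS Hosts' (RFC 6797 section 5)."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock, for testing expiry
        self._hosts = {}                       # host -> (expiry_time, include_subdomains)

    def process_response(self, host, over_tls, headers):
        """Section 8.1: only a header received over TLS may create or update an entry."""
        if not over_tls:
            return False
        value = headers.get('Strict-Transport-Security')
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                       # max-age=0 removes the host from the cache
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live entry."""
        now = self._now()
        labels = host.split('.')
        for i in range(len(labels)):
            entry = self._hosts.get('.'.join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue                       # expired entry is ignored
            if i == 0 or include_sub:
                return True
        return False

    def rewrite_url(self, url):
        """Section 8.3: upgrade http:// to https:// before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == 'http' and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.hostname
            if parts.port not in (None, 80):   # port 80 becomes 443; other ports are kept
                netloc += f':{parts.port}'
            return urlunsplit(('https', netloc, parts.path, parts.query, parts.fragment))
        return url


def sends_plaintext_request(cache, url):
    """True if a client holding this cache would put a cleartext request on the wire."""
    return urlsplit(cache.rewrite_url(url)).scheme == 'http'


if __name__ == '__main__':
    cache = HstsCache()
    url = 'http://portal.example/c/portal/login'
    # Redirect-only site: the first request is plaintext every time.
    print('redirect only, plaintext sent:', sends_plaintext_request(cache, url))
    # After one HTTPS response carrying the header, later http:// URLs are upgraded locally.
    cache.process_response('portal.example', True,
                           {'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'})
    print('with HSTS, plaintext sent:', sends_plaintext_request(cache, url))
```

Two details in the model carry the security point of the post: the header is only honoured when it arrived over TLS (so a man-in-the-middle on the plaintext leg cannot inject or strip it into the cache), and the upgrade happens in the client before a socket is opened, which is exactly what a 301 or 302 from the HTTP site cannot give you on the first visit.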